Final Audit Report, "NASA's Reporting of Performance Measure Data for the Federal Information Security Management Act (FISMA) Needed Improvement at Four Centers and NASA Headquarters" (Report No. IG-07-023; Assignment No. A-06-015-00)

On September 6, 2007, the NASA Office of Inspector General issued the final report on our audit of NASA's reporting of FISMA performance measure data for FY 2006. We reviewed selected information technology systems at four Centers and NASA Headquarters to determine whether they had satisfied the following FISMA performance measures: (1) a current National Institute of Standards and Technology (NIST)-compliant certification and accreditation (C&A) completed; (2) security controls reviewed within the past year; and (3) a contingency plan prepared, approved, and tested within the past year.

We found that the four Centers and NASA Headquarters had not fully complied with the standards and guidance established by NIST, as required by FISMA. Of the 18 systems that we reviewed, 15 systems lacked a NIST-compliant C&A, 13 systems had not undergone a security control review in the past year, and 6 systems lacked a tested contingency plan. Additionally, we found that NASA's databases contained inaccurate data on the systems that we reviewed and, when we compared data from the databases with NASA's FISMA report for the March 2006 quarter, we found discrepancies. As a result, we concluded that NASA's FISMA performance measure data were unreliable indicators of the overall status of the Agency's security program.

We recommended that Center and Headquarters Chief Information Officers (CIOs) ensure compliance with NIST requirements for C&As, annual reviews, and contingency plan testing for systems under their purview. We also recommended that the NASA CIO validate the performance measure data reported in the FISMA quarterly reports and retain documentary support for the reported data. Management concurred with all of the report's recommendations and provided information on corrective actions planned or taken in response to those recommendations. Management's planned and completed corrective actions were responsive to our recommendations.

The report contains NASA Information Technology/Internal Systems Data that is not routinely released under the Freedom of Information Act (FOIA). To submit a FOIA request, see the online guide.